Adding a DPoD HSM on Demand Service

Luna HSM Client allows you to use both Luna partitions and Data Protection on Demand's HSM on Demand services. Using a single client workstation, you can back up or migrate your keys between Luna and HSMoD, or combine partitions and services into an HA group.

The standard Luna HSM Client configuration file requires some special editing to add an HSMoD service. This procedure will allow you to add an HSMoD service to your existing Luna HSM Client.

NOTE   This feature requires minimum client version 10.1. See Version Dependencies by Feature for more information.

Prerequisites

>DPoD supports Windows and Linux operating systems only. This procedure presumes that you have already set up Luna HSM Client on your Windows or Linux workstation:

Windows Luna HSM Client Installation

Linux Luna HSM Client Installation

>You must be using Luna HSM Client software version 10.1 or higher (see Updating the Luna HSM Client Software).

>HSMoD services are only compatible with password-authenticated SafeNet Luna Network HSM partitions. For more information on Luna/DPoD compatibility, refer to Cloning Keys Between Luna 6, Luna 7, and HSM on Demand. You can still use HSMoD and PED-authenticated Luna partitions from the same client workstation, but they cannot clone cryptographic objects between them.

>You must purchase an HSMoD service from SafeNet Data Protection on Demand:

https://safenet.gemalto.com/data-protection-on-demand/

To add a DPoD HSM on Demand service to an existing Luna HSM Client

1. After purchasing an HSMoD service, refer to the DPoD documentation for instructions on downloading the DPoD client package. Transfer the .zip file to your Luna HSM Client workstation using pscp, scp, or other secure means.

2. Extract the .zip file into a directory on your client workstation.

3. Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the DPoD client install directory. The other client package can be safely deleted.

[Windows] cvclient-min.zip

[Linux] cvclient-min.tar

# tar -xvf cvclient-min.tar

4. Run the provided script to create a new configuration file containing information required by the HSMoD service.

[Windows] Right-click setenv.cmd and select Run as Administrator.

[Linux] Source the setenv script.

# source ./setenv

5. Copy the server certificate from the DPoD client directory to your existing client certificates directory:

[Windows default] C:\Program Files\Safenet\Lunaclient\cert\

[Linux default] /usr/safenet/lunaclient/cert/

server-certificate.pem

partition-ca-certificate.pem

partition-certificate.pem

6. Open the configuration file in the DPoD client directory.

[Windows] crystoki.ini

[Linux] Chrystoki.conf

7. Copy the following sections from the DPoD configuration file to the existing version in the Luna HSM Client install directory. Edit the entries to use the correct file path to the certificates you copied in step 5:

[XTC]
Enabled=1
PartitionCAPath=<client_cert_directory>\partition-ca-certificate.pem
PartitionCertPath00=<client_cert_directory>\partition-certificate.pem
TimeoutSec=600

[REST]
ClientConnectIntervalMs=1000
ClientConnectRetryCount=900
ClientEofRetryCount=15
ClientPoolSize=32
ClientTimeoutSec=120
CVAppSpecificData=90vNGg10a8uVBmO8zmEVRA==
RestClient=1
ServerName=na.hsm.dpod.live
ServerPort=443
SSLClientSideVerifyFile=<client_cert_directory>\server-certificate.pem

Also copy the following entry from the [Misc] section and edit it to use the correct file path to the plugins directory:

[Misc]
PluginModuleDir=<client_plugins_directory>

[Windows default] C:\Program Files\Safenet\Lunaclient\plugins\

[Linux default] /usr/safenet/lunaclient/plugins/

NOTE   The above example is taken from a Windows crystoki.ini file; for a Linux client platform, the Chrystoki.conf file uses the same entries in Linux syntax (Misc = { instead of [Misc], etc).

Save the configuration file. If you wish, you can now safely delete the extracted DPoD client directory.

8. Manually reset the ChrystokiConfigurationPath environment variable back to the location of the original configuration file.

[Windows] In the Control Panel, search for "environment" and select Edit the system environment variables. Click Environment Variables. In both the list boxes for the current user and system variables, edit ChrystokiConfigurationPath to point to the crystoki.ini file in the original client install directory.

[Linux] Either open a new shell session, or reset the environment variable for the current session to the location of the original Chrystoki.conf file:

# export ChrystokiConfigurationPath=/etc/

9. Launch or relaunch LunaCM to verify that both your Luna partitions and HSMoD service are available.
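Steps 5 through 7 above are a mechanical edit that is easy to get wrong (a certificate path that points at the deleted DPoD directory, or an [XTC]/[REST] section pasted twice). The following script is an added example, not Thales code: it reads the DPoD-generated crystoki.ini, rewrites the three certificate paths and PluginModuleDir to the Luna client directories, merges the sections into the existing file without clobbering sections that are already there, renders either crystoki.ini or Chrystoki.conf brace syntax, and lists any referenced path that does not exist. The two sample configuration strings are constructed and trimmed for the example.

```python
import configparser
import os

# Sections the procedure carries over (step 7); keys whose values are file paths.
HSMOD_SECTIONS = ("XTC", "REST")
PATH_KEYS = ("PartitionCAPath", "PartitionCertPath00", "SSLClientSideVerifyFile", "PluginModuleDir")
DPOD_INI = (  # constructed sample: a trimmed DPoD crystoki.ini as produced by setenv
    "[XTC]\nEnabled=1\nPartitionCAPath=<client_cert_directory>\\partition-ca-certificate.pem\n"
    "[REST]\nRestClient=1\nServerName=na.hsm.dpod.live\n"
    "SSLClientSideVerifyFile=<client_cert_directory>\\server-certificate.pem\n")
LUNA_INI = "[Chrystoki2]\nLibNT=C:\\Program Files\\SafeNet\\LunaClient\\cryptoki.dll\n[Misc]\nToolsDir=C:\\tools\n"  # constructed

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as Luna writes it (ServerName, not servername)
    cp.read_string(text)
    return cp

def hsmod_entries(dpod_ini, cert_dir, plugins_dir, sep="\\"):
    """{section: {key: value}} to carry over, with paths pointed at the Luna client dirs."""
    src, out = load_ini(dpod_ini), {"Misc": {"PluginModuleDir": plugins_dir}}
    for sec in HSMOD_SECTIONS:
        out[sec] = dict(src[sec])
        for key in [k for k in PATH_KEYS if k in out[sec]]:  # keep the file name, re-root in cert_dir
            fname = os.path.basename(out[sec][key].replace("\\", "/"))
            out[sec][key] = cert_dir.rstrip("\\/") + sep + fname
    return out

def merge(luna_ini, entries):
    """Add the entries to the Luna config; never clobber an existing [XTC]/[REST]."""
    cp = load_ini(luna_ini)
    for sec, kv in entries.items():
        if sec in HSMOD_SECTIONS and cp.has_section(sec):
            raise ValueError(f"[{sec}] already present; reconcile it by hand")
        if not cp.has_section(sec):
            cp.add_section(sec)
        for k, v in kv.items():
            cp.set(sec, k, v)
    return cp

def render(cp, linux=False):
    """crystoki.ini syntax by default; Chrystoki.conf brace syntax when linux=True."""
    lines = []
    for sec in cp.sections():
        kv = cp.items(sec)
        lines += ([f"{sec} = {{", *(f"   {k} = {v};" for k, v in kv), "}"] if linux
                  else [f"[{sec}]", *(f"{k}={v}" for k, v in kv)]) + [""]
    return "\n".join(lines)

def missing_paths(entries, exists=os.path.exists):
    """Referenced certificate/plugin paths that do not exist on this host; check before saving."""
    return [v for kv in entries.values() for k, v in kv.items() if k in PATH_KEYS and not exists(v)]
```

Run missing_paths on the result before writing the merged file; an empty list means every certificate and the plugins directory are where the configuration says they are.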

You can now initialize the HSM on Demand service just as you would a password-authenticated Luna application partition. The cloning domain you set on the HSMoD service must match the partition(s) from which you will migrate keys. Refer to the Data Protection on Demand documentation for instructions and information on the capabilities of your HSMoD service.

>Initializing an Application Partition

>Initializing the Crypto Officer and Crypto User Roles

Refer to Cloning Keys Between Luna 6, Luna 7, and HSM on Demand before migrating keys or using the HSMoD service in an HA group. You can migrate keys to your new HSMoD service using direct slot-to-slot cloning, a SafeNet Luna Backup HSM, or by setting up an HA group.

>Cloning Objects to Another Application Partition

>Backup and Restore Using a G5-Based Backup HSM

>Setting Up an HA Group